Fundamentals of Information Systems Security

Lesson 5
Access Controls

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective(s)
• Explain the role of access controls in an IT infrastructure.

Key Concepts
• Access control concepts and technologies
• Formal models of access control
• How identity is managed by access control
• Developing and maintaining system access controls

Defining Access Control
• The process of protecting a resource so that it is used only by those allowed to use it
• Prevents unauthorized use
• Mitigations put into place to protect a resource from a threat

Four Parts of Access Control
Access Control Component: Description
• Identification: Who is asking to access the asset?
• Authentication: Can their identities be verified?
• Authorization: What, exactly, can the requestor access? And what can they do?
• Accountability: How are actions traced to an individual to ensure the person who makes data or system changes can be identified?
Policy Definition and Policy Enforcement Phases
• Policy definition phase—Who has access and what systems or resources they can use
  • Tied to the authorization phase
• Policy enforcement phase—Grants or rejects requests for access based on the authorizations defined in the first phase
  • Tied to identification, authentication, and accountability phases

Two Types of Access Controls
• Physical: Controls entry into buildings, parking lots, and protected areas
• Logical: Controls access to a computer system or network

Physical Access Control
• Smart cards are an example
• Programmed with ID number
• Used at parking lots, elevators, office doors
• Shared office buildings may require an additional after-hours card
• Cards control access to physical resources

Logical Access Control
• Deciding which users can get into a system
• Monitoring what each user does on that system
• Restraining or influencing a user’s behavior on that system

The Security Kernel
• Enforces access control for computer systems
• Central point of access control
• Implements the reference monitor concept

Enforcing Access Control

Access Control Policies
Four central components of access control:
• Users: People who use the system or processes (subjects)
• Resources: Protected objects in the system
• Actions: Activities that authorized users can perform on resources
• Relationships: Optional conditions that exist between users and resources

Logical Access Control Solutions
Logical Controls: Solutions
• Biometrics
  • Static: Fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry
  • Dynamic: Voice inflections, keyboard strokes, and signature motions
• Tokens
  • Synchronous or asynchronous
  • Smart cards and memory cards
• Passwords
  • Stringent password controls for users
  • Account lockout policies
  • Auditing logon events
• Single sign-on
  • Kerberos process
  • Secure European System for Applications in a Multi-Vendor Environment (SESAME)

Authorization Policies

Authorization:
• Authority-level policy
• Group membership policy
• User-assigned privileges

Methods and Guidelines for Identification
• Methods
  • Username
  • Smart card
  • Biometrics
• Guidelines
  • Actions
  • Accounting

Authentication Types
• Knowledge: Something you know
• Ownership: Something you have
• Characteristics: Something unique to you
• Location: Somewhere you are
• Action: Something you do/how you do it

Authentication by Knowledge
• Password
  • Weak passwords easily cracked by brute-force or dictionary attack
  • Password best practices
• Passphrase
  • Stronger than a password
• Account lockout policies
• Audit logon events

Authentication by Ownership
• Synchronous token—Calculates a number at both the authentication server and the device
  • Time-based synchronization system
  • Event-based synchronization system
  • Continuous authentication
• Asynchronous token
  • USB token
  • Smart card
  • Memory cards (magnetic stripe)

Asynchronous Token Challenge-Response

Authentication by Characteristics/Biometrics
• Static (physiological) measures: What you are
• Dynamic (behavioral) measures: What you do

Concerns Surrounding Biometrics
• Accuracy
• Acceptability
• Reaction time

Types of Biometrics
• Fingerprint
• Facial recognition
• Voice pattern
• Palm print
• Keystroke dynamics
• Iris scan
• Hand geometry
• Retina scan
• Signature dynamics

Authentication by Location and Action
• Location
  • Strong indicator of authenticity
  • Additional information to suggest granting or denying access to a resource
• Action
  • Stores the patterns or nuances of how you do something
  • Record typing patterns

Single Sign-On (SSO)
• Sign on to a computer or network once
• Identification and authorization credentials allow user to access all computers and systems where authorized
• Reduces human error
• Difficult to put in place

SSO Processes
• Kerberos
• Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• Lightweight Directory Access Protocol (LDAP)

Policies and Procedures for Accountability
• Log files
• Monitoring and reviews
• Data retention
• Media disposal
• Compliance requirements

Formal Models of Access Control

Discretionary access control (DAC)

Mandatory access control (MAC)

Nondiscretionary access control

Rule-based access control

Discretionary Access Control
• Operating systems-based DAC policy considerations
  • Access control method
  • New user registration
  • Periodic review
• Application-based DAC
• Permission levels

Mandatory Access Control
• Determine the level of restriction by how sensitive the resource is (classification label)
• System and owner make the decision to allow access
• Temporal isolation/time-of-day restrictions
• MAC is stronger than DAC

Nondiscretionary Access Control
• Access rules are closely managed by security administrator, not system owner or ordinary users
• Sensitive files are write-protected for integrity and readable only by authorized users
• More secure than discretionary access control
• Ensures that system security is enforced and tamperproof

Rule-Based Access Control

Access Control Lists

Linux and OS X
• Permissions: Read, write, execute
• Applied to: File owners, groups, global users
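
How the read, write and execute bits for file owners, groups and global users are evaluated, as an added example that is not part of the original slides. The function name and the sample user and group IDs are assumptions; the root override and extended POSIX ACL entries are left out.

```python
import stat

def allowed(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix mode-bit check for a non-root process.

    Exactly one class applies: owner if the UID matches, otherwise group
    if the file's GID is among the process's groups, otherwise other.
    `want` is a string made of 'r', 'w' and 'x'.
    """
    if uid == file_uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif file_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    need = {"r": r, "w": w, "x": x}
    return all(bool(mode & need[c]) for c in want)

# Constructed sample: a file owned by UID 1000, group GID 50.
OWNER, GROUP = 1000, 50

if __name__ == "__main__":
    for mode in (0o640, 0o750, 0o044):
        print(stat.filemode(stat.S_IFREG | mode),
              "owner r:", allowed(mode, OWNER, GROUP, 1000, {1000}, "r"),
              "group r:", allowed(mode, OWNER, GROUP, 1001, {50}, "r"),
              "other r:", allowed(mode, OWNER, GROUP, 1002, {1002}, "r"))
```

Mode 0o044 shows the case that surprises people during permission reviews: the owner is denied read even though group and other are granted it, because only the owner class is consulted for the owner.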

Access Control Lists (cont.)

Windows
• Share permissions: Full, change, read, deny
• Security permissions: Full, modify, list folder contents, read-execute, read, write, special, deny

An Access Control List

Role-Based Access Control

Content-Dependent Access Control

Constrained User Interface

Methods of constraining users
• Menus
• Database views
• Physically constrained user interfaces
• Encryption

Other Access Control Models

Bell-LaPadula model

Biba integrity model

Clark and Wilson integrity model

Brewer and Nash integrity model

Brewer and Nash Integrity Model

Effects of Breaches in Access Control
• Disclosure of private information
• Corruption of data
• Loss of business intelligence
• Danger to facilities, staff, and systems
• Damage to equipment
• Failure of systems and business processes

Threats to Access Controls
• Gaining physical access
• Eavesdropping by observation
• Bypassing security
• Exploiting hardware and software
• Reusing or discarding media
• Electronic eavesdropping
• Intercepting communication
• Accessing networks
• Exploiting applications
Effects of Access Control Violations

Loss of customer confidence


Loss of business opportunities

New regulations imposed on the organization

Bad publicity

More oversight

Financial penalties

Credential and Permissions Management
• Systems that provide the ability to collect, manage, and use the information associated with access control
• Microsoft offers Group Policy and Group Policy Objects (GPOs) to help administrators manage access controls

Centralized and Decentralized Access Control
• Centralized authentication, authorization, and accounting (AAA) servers
  • RADIUS: Most popular; two configuration files
  • TACACS+: Internet Engineering Task Force (IETF) standard; one configuration file
  • DIAMETER: Base protocol and extensions
  • SAML: Open standard based on XML for exchanging both authentication and authorization data

Decentralized Access Control
• Access control is in the hands of the people closest to the system users
• Password Authentication Protocol (PAP)
• Challenge-Handshake Authentication Protocol (CHAP)
• Mobile device authentication, Initiative for Open Authentication (OATH)
  • HMAC-based one-time password (HOTP)
  • Time-based one-time password (TOTP)
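
The HOTP and TOTP items above are the event-based and time-based synchronous tokens from the Authentication by Ownership slide: server and device compute the same number from a shared secret. This is an added example, not part of the original slides, following RFC 4226 and RFC 6238; the verifier function names, the `look_ahead` and `window` parameters and their defaults are assumptions, and the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code (RFC 4226): HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the current time step."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_hotp(secret, submitted, server_counter, look_ahead=3):
    """Return the next server counter on success, None on failure.

    The device counter runs ahead when the button is pressed without
    logging in, so the server scans a small look-ahead window and then
    moves past the matched counter, which also rejects replays.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None

def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Accept the current time step plus/minus `window` steps of clock drift."""
    now = int(unix_time) // step
    candidates = [hotp(secret, c) for c in range(max(0, now - window), now + window + 1)]
    return any(hmac.compare_digest(code, submitted) for code in candidates)

# Constructed demo using the published RFC 4226 test secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(SECRET, 0), totp(SECRET, 59, digits=8))
    print(verify_hotp(SECRET, hotp(SECRET, 2), server_counter=0))
```

A production TOTP verifier would also record the last accepted time step per user so that a code cannot be replayed inside its validity window.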

Privacy
• Communicate expectations for privacy in acceptable use policies (AUPs) and logon banners
• Monitoring in the workplace includes:
  • Opening mail or email
  • Using automated software to check email
  • Checking phone logs or recording phone calls
  • Checking logs of web sites visited
  • Getting information from credit-reference agencies
  • Collecting information through point-of-sale (PoS) terminals
  • Recording activities on closed-circuit television (CCTV)

Cloud Computing
Category: Description
• Private: All components are managed for a single organization. May be managed by the organization or by a third-party provider.
• Community: Components are shared by several organizations and managed by one of the participating organizations or by a third party.
• Public: Available for public use and managed by third-party providers.
• Hybrid: Contains components of more than one type of cloud, including private, community, and public clouds.

Advantages/Disadvantages of Cloud Computing

Advantages
• No need to maintain a data center
• No need to maintain a disaster recovery site
• Outsourced responsibility for performance and connectivity
• On-demand provisioning

Disadvantages
• More difficult to keep private data secure
• Greater danger of private data leakage
• Demand for constant network access
• Client needs to trust the outside vendor

Summary
• Access control concepts and technologies
• Formal models of access control
• How identity is managed by access control
• Developing and maintaining system access controls
